
Distributed Identity via OpenID


Chances are, if you've been paying attention to the internet lately, you've probably heard about Federated and Distributed Identity. OpenID is one attempt to implement a federated approach to our already distributed identities across the internet. In this presentation, originally given at the Orlando Ruby User Group in December 2008, we explore what "federation" means, why you should use it, and how you could implement OpenID support in a Ruby app. Impressive from a PHP guy, huh?



  1. OPENID AND THE CASE OF DISTRIBUTED IDENTITY
     Exploring the problem of distributed identity and offering some solutions.
  2. WHAT ARE WE TALKING ABOUT?
     Identity === authentication?
     "Digital identity refers to the aspect of digital technology that is concerned with the mediation of people's experience of their own identity and the identity of other people and things. 'Digital identity' also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject."
     For the purposes of this talk: identity == authentication.
  3. STANDARD AUTHENTICATION
  4. STANDARD AUTHENTICATION
     A "user" agent requests a "page" resource.
     Is the requested resource public?
     If not, is the requesting agent authenticated?
     If not, is the requesting agent registered?
  5. STANDARD AUTHENTICATION
     If the "user" is registered but not authenticated, present the "login" form...
     If the "user" is neither authenticated nor registered, present the "registration" form...
     Similar processing; success returns to the original request.
  6. STANDARD AUTHENTICATION
     Input filtering to combat script injection.
     Uniqueness of local identity.
     Credential security: password strength, data store.
     (Stamps overlaid as the build progresses: HEADACHES!!!, REPETITION!!!, FAIL!!!)
  7. INTRODUCING! IDENTITY FEDERATION
     Why can't somebody else do all this for me?
     (Stamp: Not new! But improved.)
  8. FEDERATED IDENTITY
     How this is supposed to work...
  9. FEDERATION VIA OPENID
  10. THAT SEEMS EASY...
     Even easier with existing libraries:
     Zend_OpenID for PHP 5
     ruby-openid for Ruby
     Net::OpenID for Perl
     mod_auth_openid for Apache 2
     openid4java for Java
     Check the openid.net wiki for more!
  11. LET'S TRY IT OUT!
     Install the gem and generate a controller with the three actions the flow needs (new shows the form, create starts the exchange, complete receives the OP's answer):

     ```shell
     $> gem install ruby-openid
     $> script/generate controller openid new create complete
     ```

     views/openid/new.html.erb:

     ```erb
     <html>
     <head>
     <title>Log in with OpenID</title>
     </head>
     <body>
     <% if not flash[:error].blank? %>
     <p><b><%= flash[:error] -%></b></p>
     <% end %>
     <% form_tag "/openid/create" do %>
     <%= text_field_tag "openid_url" %>
     <%= submit_tag "Log in with OpenID" %>
     <% end %>
     </body>
     </html>
     ```

     app/controllers/openid_controller.rb:

     ```ruby
     require 'openid'
     require 'openid/store/filesystem'

     class OpenidController < ApplicationController
       # One Consumer per request; the filesystem store keeps associations
       # and consumed nonces between requests so replays can be detected.
       def openid_consumer
         if @openid_consumer.blank?
           @openid_consumer = OpenID::Consumer.new(session,
             OpenID::Store::Filesystem.new("#{RAILS_ROOT}/tmp/openid"))
         end
         return @openid_consumer
       end

       # Step 1: take the identifier, run discovery, redirect the user to the OP.
       def create
         # Get the OpenID parameter
         openid_url = params[:openid_url]

         # Make sure we got something
         if openid_url.blank?
           flash[:error] = "No OpenID was entered; try again"
           redirect_to :back
           return
         end

         # Get an OpenID response; discovery raises on an identifier it cannot resolve
         begin
           openid_response = openid_consumer.begin openid_url
         rescue OpenID::OpenIDError => e
           flash[:error] = "Could not find an OpenID server for '#{openid_url}': #{e.message}"
           redirect_to :action => "new"
           return
         end

         home_url = url_for :controller => "openid", :action => "index"
         complete_url = url_for :controller => "openid", :action => "complete"
         openid_redirect_url = openid_response.redirect_url(home_url, complete_url)
         redirect_to openid_redirect_url
         return
       end

       # Step 2: the OP redirects the user back here; verify before trusting anything.
       def complete
         complete_url = url_for :controller => "openid", :action => "complete"
         openid_response = openid_consumer.complete(params, complete_url)

         # complete() returns a response object for failure, cancel and
         # setup-needed as well, so branch on the status before reading
         # identity_url; never log the user in on a non-success response.
         if openid_response.status == OpenID::Consumer::SUCCESS
           session[:openid] = openid_response.identity_url
           flash[:error] = "You have been logged in as '#{session[:openid]}'"
         else
           session[:openid] = nil
           flash[:error] = "OpenID login failed (#{openid_response.status})"
         end
         redirect_to :action => "new"
         return
       end
     end
     ```

     Source: http://www.linuxjournal.com/article/10104
  12. TRANSMISSION COMPLETE
     Sources available on del.icio.us.
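The library hides the checks that make the completion step on slide 11 safe. The stand-alone Ruby below is added here as an illustration; it is not from the slides, from ruby-openid or from the Linux Journal article. It models an OpenID 2.0 positive assertion end to end: the OP signs the fields named in openid.signed with the association's MAC key (HMAC-SHA256 over Key-Value Form, per the spec), and the RP rejects a wrong return_to, an unknown association handle, unsigned required fields, a bad signature and a replayed response_nonce. The host names, association handle, the 300-second nonce skew, and the names op_sign_assertion, RPVerifier and demo are all assumptions made for the example; association setup (Diffie-Hellman), discovery and the check_authentication fallback for stateless mode are deliberately left out.

```ruby
require 'openssl'
require 'securerandom'
require 'time'
require 'set'

# Key-Value Form encoding (OpenID 2.0 sections 4.1.1 and 6.1): one
# "key:value\n" line per field named in openid.signed, in that order,
# with the "openid." prefix stripped from each key.
def kv_form(fields, signed_keys)
  signed_keys.map { |k| "#{k}:#{fields["openid.#{k}"]}\n" }.join
end

# HMAC-SHA256 over the Key-Value Form, base64 without line breaks.
def hmac_sha256(mac_key, data)
  [OpenSSL::HMAC.digest('sha256', mac_key, data)].pack('m0')
end

# Constant-time compare so a forged openid.sig cannot be found byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# OP side (assumed helper name): build a positive assertion (mode=id_res) and
# sign it with the MAC key of an HMAC-SHA256 association shared with the RP.
def op_sign_assertion(mac_key, fields)
  signed = %w[op_endpoint return_to response_nonce assoc_handle claimed_id identity]
  msg = fields.merge('openid.mode' => 'id_res', 'openid.signed' => signed.join(','))
  msg.merge('openid.sig' => hmac_sha256(mac_key, kv_form(msg, signed)))
end

# RP side (assumed class name): the checks a consumer library performs inside complete().
class RPVerifier
  REQUIRED_SIGNED = %w[op_endpoint return_to response_nonce assoc_handle]
  NONCE_SKEW = 300 # seconds of clock drift tolerated on response_nonce (assumed)

  def initialize(associations, expected_return_to, now: Time.now)
    @associations = associations     # assoc_handle => MAC key
    @expected_return_to = expected_return_to
    @seen_nonces = Set.new           # [op_endpoint, nonce] pairs already accepted
    @now = now
  end

  # Returns [:success, claimed_id] or [:failure, reason].
  def verify(params)
    return [:failure, 'not a positive assertion'] unless params['openid.mode'] == 'id_res'
    return [:failure, 'return_to mismatch'] unless params['openid.return_to'] == @expected_return_to
    mac_key = @associations[params['openid.assoc_handle']]
    return [:failure, 'unknown association handle'] unless mac_key
    signed = params['openid.signed'].to_s.split(',')
    missing = REQUIRED_SIGNED - signed
    missing << 'claimed_id' if params.key?('openid.claimed_id') && !signed.include?('claimed_id')
    return [:failure, "unsigned field(s): #{missing.join(',')}"] unless missing.empty?
    expected = hmac_sha256(mac_key, kv_form(params, signed))
    return [:failure, 'bad signature'] unless secure_equal?(expected, params['openid.sig'].to_s)
    nonce = params['openid.response_nonce'].to_s
    stamp = Time.iso8601(nonce[0, 20]) rescue nil   # "YYYY-MM-DDThh:mm:ssZ" prefix
    return [:failure, 'malformed nonce'] unless stamp
    return [:failure, 'nonce outside skew window'] if (@now - stamp).abs > NONCE_SKEW
    key = [params['openid.op_endpoint'], nonce]
    return [:failure, 'replayed nonce'] if @seen_nonces.include?(key)
    @seen_nonces << key
    [:success, params['openid.claimed_id']]
  end
end

# Constructed walk-through: one valid assertion, the same one replayed, and one
# whose claimed_id was changed after signing. All names and URLs are made up.
def demo
  now = Time.utc(2008, 12, 4, 19, 0, 0)
  mac_key = SecureRandom.random_bytes(32)
  handle = 'assoc-' + SecureRandom.hex(8)
  return_to = 'http://rp.example/openid/complete'
  rp = RPVerifier.new({ handle => mac_key }, return_to, now: now)

  assertion = op_sign_assertion(mac_key,
    'openid.ns' => 'http://specs.openid.net/auth/2.0',
    'openid.op_endpoint' => 'https://op.example/server',
    'openid.return_to' => return_to,
    'openid.response_nonce' => now.strftime('%Y-%m-%dT%H:%M:%SZ') + SecureRandom.hex(4),
    'openid.assoc_handle' => handle,
    'openid.claimed_id' => 'http://alice.op.example/',
    'openid.identity' => 'http://alice.op.example/')

  tampered = assertion.merge('openid.claimed_id' => 'http://admin.op.example/')
  [rp.verify(assertion), rp.verify(assertion), rp.verify(tampered)]
end

demo.each { |result| p result } if $PROGRAM_NAME == __FILE__
```

Running it prints three results: the first verification succeeds with the claimed identifier, the second is the identical message replayed and fails on the nonce, and the third fails on the signature because claimed_id no longer matches what the OP signed. A real consumer library returns a response object in every one of these cases, which is why the complete action has to branch on the response status rather than read identity_url unconditionally.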
